08-05-2015 03:12 PM - edited 08-05-2015 03:15 PM
Hello, thanks for your help. We have an SSID with 802.1X WPA2 auth. Currently, when Windows laptops connect to the SSID, they have to uncheck "validate server certificate" in order to not get a warning when they sign on to the wifi. Our ClearPass RADIUS certificate is from our Active Directory domain controller/CA. Our ClearPass server's hostname, for the sake of argument, is clearpass.corp.abc.biz. We have a wildcard cert from GoDaddy that is for *.corp.abc.biz.
If I replace the current ClearPass RADIUS server certificate (from our Active Domain Controller) with the GoDaddy cert, will this cause any disruption to our wifi clients? Will they have to "forget" the wifi network and reconnect? Will this cause authentication to fail? Thanks.
08-05-2015 03:14 PM
08-05-2015 03:14 PM - edited 08-05-2015 03:18 PM
You should not use a wildcard certificate for RADIUS. You will need to request a standard SSL certificate.
Once you do that, since clients are configured to not validate the cert (not recommended), the clients should still be able to authenticate successfully.
Also, it sounds like you are referring to the informational box that pops up asking you to trust the certificate? Using a public certificate will not stop this message. This is a normal part of EAP-PEAP. The only way for that message to not appear during the first connection is to preconfigure your clients using something like Group Policy, Profile Manager, MDM, QuickConnect, etc.
08-05-2015 03:32 PM - edited 08-05-2015 03:34 PM
Thanks guys. We currently have to uncheck this box in order to sign on to the wifi. I was hoping that by replacing my ClearPass RADIUS certificate (from my domain controller) with the GoDaddy one, we would no longer have to uncheck this box. But maybe this is not the case? Thanks.
08-05-2015 03:35 PM
Yes. You should never uncheck validate server certificate or clear the server name check.
How long have you been running it this way? It's a huge security risk. You might want to have your users change their passwords once you deploy the new certificate.
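To check the client-side settings discussed in this thread, the following added example (not part of any post above) audits the PEAP section of a Windows WLAN profile, such as one written by `netsh wlan export profile`, for disabled server validation, a missing trusted root, a missing server name and user trust prompts. The two sample fragments are constructed and trimmed, their namespaces are simplified, and the thumbprint is a placeholder.

```python
import xml.etree.ElementTree as ET

PEAP_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
# Constructed, trimmed <EapType> fragment; element names follow the Windows PEAP profile schema.
TEMPLATE = """<EapType xmlns="{ns}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{noprompt}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames>
    {root}
  </ServerValidation>
  <PeapExtensions><PerformServerValidation>{validate}</PerformServerValidation></PeapExtensions>
</EapType>"""
# "Validate server certificate" unchecked, nothing pinned (the state described in the thread).
WEAK = TEMPLATE.format(ns=PEAP_NS, noprompt="false", names="", root="", validate="false")
# Preconfigured profile: validation on, server name and root CA pinned, prompts suppressed.
HARDENED = TEMPLATE.format(
    ns=PEAP_NS, noprompt="true", names="clearpass.corp.abc.biz",
    root="<TrustedRootCA>PLACEHOLDER-THUMBPRINT</TrustedRootCA>", validate="true")

def _text(root, name):
    """Text of the first element with this local name, '' if empty, None if absent."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:  # ignore XML namespaces
            return (el.text or "").strip()
    return None

def audit_peap_profile(xml_text):
    """Return a list of findings about PEAP server validation in a WLAN profile."""
    root = ET.fromstring(xml_text)
    findings = []
    if (_text(root, "ServerValidation") is None
            or (_text(root, "PerformServerValidation") or "").lower() == "false"):
        findings.append("server certificate validation is disabled")
    if not _text(root, "TrustedRootCA"):
        findings.append("no trusted root CA is pinned")
    if not _text(root, "ServerNames"):
        findings.append("no RADIUS server name is pinned")
    if (_text(root, "DisableUserPromptForServerValidation") or "").lower() != "true":
        findings.append("users can be prompted to trust an unknown server")
    return findings

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_peap_profile(profile) or "OK")
```
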